oh, sorry, let me clarify one thing I said wrong.
There are two types of asymmetric cryptography (not actually the whole story but will do for now) signing, and exchange.
you create a signature with a signing (private) key, and it's verified with a corresponding public key.
Then there are also exchange keys, or called diffie-helman keys. There isn't really a widely used name for this type of key, mainly i think because it doesn't have a simple real-world metaphor like "signing" does. Anyway, exchange keys take your public key, and my secret key then combines the together to produces a shared exchange key.
In nacl
this operation is called scalarmult
. That is an implementation detail really, in classic DiffieHelman a different mathematical operation is used, but it has the same behavior. That is, we can each take the other's public key, and our own secret key, and produce a key that essentially represents a relationship between us.
In nacl both types of keys are used, signing keys are ed25519 keys, and exchange keys are curve25519 keys. sign
uses ed25519
keys, and scalarmult
takes curve25519
.box
takes two exchange keys, and then uses scalarmult
internally. There is also another function secretbox
that just takes a symmetric key, say the output of scalarmult
.
To encrypt a private key, you probably don't encrypt it to anyone, so secretbox
is the one to use. Also, you'll need to generate the key the first time, and then later, you'll need to restore it. To do that, you need a seed. That is just a random number, but make sure it's really random. instead of encrypting the private key, encrypt the seed, then regenerate the keypair from that seed.